85 Health Insurance Portability and Accountability Act (HIPAA)

Approved by President
Effective Date: January 12, 2021
Responsible Division: Business and Finance
Responsible Office: Compliance and Enterprise Risk Management
Responsible Officer: Assistant Vice President for Compliance and Enterprise Risk Management

I. Purpose

This policy ensures Middle Tennessee State University’s (MTSU or University) compliance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA or the Act). The Campus Pharmacy is covered under the Act as a covered entity and healthcare provider. 

II. Background

HIPAA (Pub. L. 104-191) sets forth national standards to protect individually identifiable health information by certain covered entities. The Act additionally requires information technology security protections for electronically stored and transmitted healthcare data sets and provides certain patient protections and rights regarding access to individual health information.

III. Scope

Because Campus Pharmacy is a healthcare provider and HIPAA covered entity, its staff, student workers, interns, part-time employees, and healthcare business associates are covered under this policy. Additionally, the policy covers all areas of the University for which healthcare documentation is transmitted to external agencies for healthcare operations or treatment purposes including, but not limited to, University Counseling services, the University Speech Clinic, and the Dyslexia Center.

IV. Definitions

A.  Breach Log. A log of all breaches of unsecured protected health information (PHI).

B.  Business Associate. A person or entity contracted by covered entities to provide certain health care activities or functions on behalf of the covered entity including, but not limited to, the use and disclosure of protected health information for healthcare billing services; benefit management services; consulting; repricing; practice management; quality assurance; utilization review; and claims processing. Business Associates are covered under the HIPAA privacy rule and must provide assurances to the covered entity that protected health information will be safeguarded from misuse and will not be used for the business associate’s independent purposes.

C.  Covered Entity. A healthcare provider, health plan, or healthcare clearinghouse. Healthcare providers include doctors, clinics, psychologists, dentists, chiropractors, nursing homes, and pharmacies that transmit healthcare information in an electronic format in connection with a Department of Health and Human Services (HHS) adopted standard. Health plans include health insurance companies, health maintenance organizations (HMOs), company health plans, and government-funded healthcare programs, such as Medicare, Medicaid, and the military and veterans’ health care programs. Healthcare clearinghouses are entities that process nonstandard health information, received from another agency, into standard, electronic data or content.

D.  Protected Health Information (PHI). The most common protected health information includes the following:

1.  Name

2.  Street address

3.  Zip code